2.
Readiness “Am I ready for shared services? What do I have to do here to be successful? Are my partners up tothe challenge? Am I?” Experienced CEOs raise these questions often, and properly so. Whether in ourfieldwork or in our classrooms at Harvard, executives want a clear-eyed view of what they’relikely to give, and get, by sharing. They want to understand not just the promise, but also therisk. “Can I get what I’m promised when I need it?” “Can I deliver what I have promised?”“Will it cost me more to produce than what I charge for it?” “Will my partners act responsiblywith what I give them? “How do I gain political support and financial capital for the move?”“Who will settle any disputes that arise?” We have captured what many CEOs have told us, and what we have observed. Wehave distilled them here as the twelve capabilities of effective shared services enterprises. To besuccessful at sharing products and services, every organization, no matter what product orservice they share, must have these capabilities to a specifiable degree How capable they must be is another question altogether. For we also know thatevery sharing scenario has different and even unique requirements for success. For anorganization to be ready for shared services, its particular capabilities must match up to therequirements of its sharing scenario. Many don’t, and that is the problem. Take any three organizations, for example – one uniquely proficient at sharingvehicles via a motor pool, another at sharing health services in a medical facility, another atsharing data over a network in a flu pandemic. We would not expect either to be much goodat the other’s business. But as sharing organizations, we would expect them each to have thesame twelve capabilities, in very different constellations, each tailored just right to therequirements of running a motor pool, or a health facility, or a pandemic alert network. In this paper we identify those twelve capabilities. We provide a framework forclassifying those capabilities to match up against diverse sharing requirements. We don’tanalyze particular industry requirements, except in a cursory way. That is work for particularindustries to do. The corporate “line of business” owners of motor pools, or health facilities,or natural disaster response, for example, can come together, using these twelve capabilities,to agree on the requirements for any enterprise to share products or services successfully inthat domain. What we do offer is a framework by which those groups can define the capabilityrequirements for successful sharing, and by which any individual organization can assess itsown capabilities for sharing against those requirements. With that knowledge, when the callcomes to share products and services, every executive can know whether his or herorganization is truly ready to share.What We Mean When We Speak of Shared Services When we speak of “shared services,” we often think of classic back officeoperations like payroll processing, where a centralized unit handles all payroll matters for anorganization. We can also think of enterprise-wide services like human resources, which hostIT infrastructure to handle employee benefits and attendance records and queries, and also 2

3.
provides enterprise-wide sourcing and staffing services. We can also think of agencies whoshare their records with others -- like motor vehicle records, criminal histories, and schoolattendance. We can think of extended enterprises sharing data on pandemic flus, others sharingdata on ships, crews and cargoes comprising the maritime domain, and others still on supplychain movements in disaster responses. Each of these represents a different mode of sharing. What gets shared can vary– from data and information, to expertise and services, totangible products. Organizations share everything from weather forecasts and fire riskadvisories, to legal services and health services, to print shops, landscaping, and motor pools. How these products and services get shared also varies greatly. It can be overcomputer networks; or delivered in person; or handled by a call center, or interoffice mail,for example; or via web sites, web services, or email. We can think of these as the platformsfor sharing. Each platform has its unique infrastructure and rules, each in turn unique to aparticular product or service. Who shares services can vary, too. Individuals and units within a single agency canshare services. Agencies within the same organization can share; or across organizations andwithin the same jurisdiction; or across jurisdictions but within the same sector; or acrosssectors but within the same political unit, or globally, across political units. There areexamples for all. In every instance, however, there is a producer of a product or service; and a consumer.The producer might be a single agency, or organization, or jurisdiction, or even nation. Theconsumer might be a single agency, or multiple organizations, or governments. Every sharedproduct or service involves a producer-consumer relationship. When services or products are shared varies as well. It might be on a one-time basis,never to be repeated; or an “on-demand” basis, available upon request; or an “always-on”basis. It might be by prior agreement; or under compulsion. It might be as a result of adecree of a governing body, or by a one-to-one agreement. It could be ad-hoc, or regular, orconstant, perhaps in the regular course of business; or perhaps only under extraordinarycircumstances. Why organizations share services – the rationale for sharing – varies, too. Often, it iseconomic: it’s cheaper to do it once rather than many times, so organizations consolidateservices. Sometimes, it’s quality: it’s better to do it one place the same way than many places,different ways. Other times it is to enhance coordination: By giving or getting access to aservice or product, an individual organization can improve its own response to a situation,for example, or the enterprise’s overall response. There are times, also, where the rationale for sharing is transformation: By poolingservices together, for example, organizations create something entirely new and much morevaluable than any could do on their own. When five agencies combine their data about theships, crews and cargos on the world’s oceans, for example, the new view from this newservice transforms the individual data streams into a much more valuable product useful to all.Transformation “is to” coordination as chemical reaction “is to” physical reaction in thelaboratory: we get something entirely new. There are thus a great many varieties and dimensions of shared services. There arealso some important commonalities. There is always a producer and a consumer of the product or 3

4.
service, for example. The product or service always represents an asset – a thing of value –that is the subject of an exchange via a platform of some kind – a computerized alert network,for example, or a walk-in health facility, or a vehicle maintenance garage, or a weekly meetingof designees. Every platform has its own infrastructure and rules, some simple, some incrediblycomplicated. Every exchange takes place within some larger political economy of individualsand organizations where sharing behavior observes social norms, is subject to political powerand process, and has economic costs. All exchanges, lastly, reflect some element ofproducers’ and consumers’ organization strategy: they engage in sharing in order to achieveresults that they can’t without sharing, either by giving or getting a product or service. Take any of these common dimensions away – producers and consumers, anexchange involving valued assets via a platform with unique infrastructure and rules, thepolitical economy of the exchange, the organization strategy of producers and consumers –and we stop understanding shared services, generally, or being able to explain a particularshared service. With so much at stake and involved in sharing, managing its risk is very important toorganizations. Fiscal savings, work quality, workplace happiness, effectiveness at mission,safety and security of people – all can be shaped by whether sharing is done well or badly.The dimensions of risk in any sharing environment are therefore important to articulate.And, it is important for any organization that is contemplating a move to shared services, ofany kind, to understand and manage those risks. “Am I ready for the move to sharedservices?” asks about the gaps between requirements and capabilities, and the risk thatresults.What Makes Sharing Work? Key Capabilities Our research with practitioners in many cross-boundary environments suggests thatthere are twelve major risk areas for organizations making the move to shared services of anykind. These risks most often manifest themselves when capabilities for shared services fallshort of requirements. Sometimes, risk arises, oddly, when these capabilities exceedrequirements. Both kinds of risk are possible. We can therefore speak of the twelve capabilities for success in shared services as afoundation against which leaders can assess their readiness for shared services, whether asproducer or consumer. As each sharing environment has a unique constellation ofrequirements, assessing readiness -- and risk -- means being clear about those requirementsand how one’s own capabilities match up against them.The Twelve Capabilities of Effective Shared Services Enterprises In our experience, executives understand risk intuitively: it’s what they lose sleepover. To introduce the twelve capabilities, we will use the negative language of risk, below,without much explanation. Following, we will revert to a positive explanation of each thetwelve capabilities of effective shared services enterprise.The Twelve Risks of Shared Services Enterprises 4

5.
1. Platform Access Risk Producers and consumers cannot access sharing platforms2. Data Readiness Risk Data to be shared is not visible, usable, understandable3. Legal, Regulatory Risk Sharing behaviors violate law or regulation4. Agreements Risk Partners fail to meet each other’s promises or obligations5. Political Management Risk Leaders fail to navigate political, social and economic shoals necessary to gain authorization, resources, and support6. Financing Risk Financing is inadequate to support the sharing strategy7. Governance Risk Governance structure and process fail to address disputes, joint decision- making8. Strategic Risk The organization strategy has embedded failure: sharing fails to result in the promised value9. Communications Risk Messages fail to reach or affect critical players in desired ways10. Dynamic Auditing Risk Sharing develops gaps and problems in critical success factors that go undetected; opportunities for improvements are missed11. Change Risk Change that is required to assure success is not undertaken12. Resiliency Risk Critical infrastructures, people, or facilities for sharing are exposed to failure by attack, accident, or natural disaster The Twelve Capabilities of Effective Shared Services Enterprises 1. Capability #1 (Platform Access): Producers and consumers have access to enterprise platforms for sharing. Producers and consumers, for example, require network access to use an ERP system. A producer of medical services requires facilities’ access to keep doctors stocked and supplied, and patients must be able to reach the front door. A producer of motor pool services must have access to a vehicle maintenance and storage facility; consumers of those services must have drivers who are appropriately trained and licensed. How much access, when, and at what cost will vary greatly by platform and service. Platform access is a required capability for sharing: producers and consumers must have access – physical, rules-based, or logical -- to the platform over which a service or product is to be shared. 2. Capability #2 (Data Readiness): Data to be shared is visible, usable, and understandable. Certain platforms involve the exchange of data, information, or analysis. Even if there is platform access – say, data producers and consumers all have access to an enterprise service bus that enables them to publish-and-subscribe to data services – still, producers’ data might not be visible, usable, or understandable. That becomes an issue for many data sharing enterprises. Assuring platform access is not sufficient: data must be available. 5

6.
3. Capability #3 (Legal and Regulatory): Producers and consumers share and useproducts and services legally, in compliance with regulations, and ethically. Statutory or otherrestrictions on an exchange of products and services can create legal liability,regulatory violations, or other compliance problems. Unlicensed drivers or medicalservice providers, for example, may ruin insurance coverages; letting non-securedindividuals onto computer networks may cause networks to lose valued securitycertifications. Sharing of confidential health data, data on juveniles, secret or topsecret data, criminal history data, and competitive commercial and industrial datacan create significant legal liabilities. It is important to understand the legal andregulatory issues involved in sharing products and services, and be prepared toaddress them. 4. Capability #4 (Compacts and Agreements): Producers and consumers use compactsand agreements to clarify expectations and obligations. Exchanges create promises andobligations between producers and consumers. Will producers provide what theypromise so that the consumer can use the product or service as hoped for? Willconsumers honor their sides of the bargain by using the service or productcorrectly, so that they create no unanticipated issues for the producer? Who will fixor be responsible for repairs and upgrades? What understandings might be best tolock in by written, verbal, or other agreements? What force will they have, whatissues might intervene when invoking them, and how might we assure compliance,and how would we resolve any disputes that arose? 5. Capability #5 (Political Management): Leadership navigates the political,economic, and social/cultural shoals to gain authorization, resources and support for the sharingenterprise. Social, political, and economic forces – comprising a defined politicaleconomy for the sharing enterprise -- can accelerate or impede attainment of goals.Leadership frames vision and the rationale for action, gains external and internalsupport, forges alliances and addresses conflicts; resources needed capabilities, andenergizes “troops” to move along the chosen path. As the operating environmentsfor sharing services are variably dynamic, ranging from staid corporate networks toin-the-wild multi-party extended enterprises crossing jurisdictions and nations intimes of crisis, leadership may need to be variably adaptive, depending on theparticular requirements of the sharing relationship and its exigencies. 6. Capability #6 (Financing): The enterprise adequately funds needed procurementsand acquisitions. What investments do we require to assure that the exchange cantake place as planned? Such investments could include improving partner platformcapabilities; assuring interoperability of devices and systems; undertaking systemsdevelopment and standard setting. Individual organizations might fund suchdevelopment, or there could be some kind of joint or multi-source funding.Addressing such issues is important. 7. Capability #7 (Governance): The sharing enterprise provides an authority structurefor critical decisioning. Governance pertains to decision-making over the sharingarrangements – including ratification of agreements, managing disputes, addingnew partners, overseeing measurements and metrics, managing costs andprocurement. Governance of a shared service enterprise can be a matter betweenindividuals or groups or even among nations. Structure, processes and rules forgovernance are issues that leaders need to address. 6

7.
8. Capability #8: (Organization Strategy): The enterprise goals are clear, its strategy to attain them sound, and the pathways for action marked. All sharing has a value rationale and an intended outcome. Sometimes it’s a financial savings; other times a quality gain, an improved service capability, or even a complex social outcome (like, “better health” or “safer children”.). Organization strategy is the means by which they propose to attain their goals by correctly aligning resources, authorities, and competencies. 9. Capability #9 (Messaging and Communications): The sharing enterprise communicates effectively with stakeholders and opinion-makers. All shared service enterprises require some ability to create messages about the sharing and to communicate them to stakeholders or interested observers. Sometimes producers and consumers will want to message and communicate with each other; other times to their respective oversight and authorizing bodies, their employees or service recipients, or to news organizations, internal staffs, or government leaders half way around the globe. How best to message and communicate to help achieve the overall goal of sharing a product or service is an issue leaders must address. 10. Capability #10: (Dynamic Auditing) Sharing organizations have awareness of operational performance, scan horizons for issue and opportunities, and are aware of their progress towards goals. In a shared service enterprise, managing overall performance risk is an important issue. Organizations develop and use sensors, measures and metrics., and monitor the status of sharing infrastructures, process, and relationships. They prize awareness of any issues or opportunities and take action as required. 11. Capability #11 (Management of Change and Remediation) : There is a process, structure, and accountability to remediate when change is required When issues arise in measured performance – perhaps costs are running too far ahead of plan, or results too meager against milestones – the sharing enterprise must address this issue. This involves taking steps to assess what is broken, design and implement fixes, and validate their results. Executive sponsorship to repair any tears and remediate any gaps in performance can be essential to success. 12. Capability #12 (Enterprise Resiliency): Critical sharing infrastructures (including people and facilities) are monitored and if degraded by attack, accident or disaster remediated. Some sharing relationships involve critical infrastructure, people and work. Understanding their exposure to attack or disaster, planning for their priority restoration, and monitoring critical systems for aberrant signs can be important. How Much Capability is Required? In sum, enterprises who wish to share must have certain capabilities - capabilities toprovide accessible platforms, make data available, assure legally and compliant conduct,provide for enforceable agreements, provide leadership through political means, assurefinancing, specify adequate governance, test and validate outcomes, message andcommunicate around critical issues, audit operations, change when need be, and provide forresiliency. How much of a particular capability is required will vary from sharing scenario toscenario, and depend on many factors. As leaders consider sharing, they will naturally ask, 7

8.
“Am I ready to share services, whether as producer or consumer?” The answer is, “Dependson the scenario, and your capabilities.” Some sharing, for example, really is not all that complicated. All it takes is ahandshake between two executives and the rest will fall into place behind them. If there isfailure in execution, perhaps not much was at stake, and not much really matters in successor failure. But some sharing is very complicated, with large systems integration, vastconsolidations, global reach of data and services – and with tremendous consequences atstake for people, finances, and performance. If a leader ventures to introduce a shared HRconsolidation, for example, there are certain capabilities for governance, leadership, andfinancing that he and his partners must have to meet that challenge and be successful. If aleader ventures to stand up an extended enterprise of data producers and consumers toaddress an anthrax attack on a mail system, there are certain capabilities which that enterprisewill require to succeed. Capabilities for platform readiness and data availability, messagingand communications, and compacts and agreements will all be tested. We will discuss capability requirements, further, shortly.Summing Up So Far: What We Can Say 1. First, there is great structural commonality among sharing enterprises. We always find producers and consumers involved in an exchange of a product or service, for example, a platform for sharing, a political economy as the sharing environment, and other common structural features. 2. Second, there is a great variety of actual shared products and services. These vary by who produces and who consumes, what product or service is shared, with whom, when, with what intended outcome, among other variables. 3. Third, there is a great commonality among the generic capabilities and risks that sharing enterprises must address to be successful. We have identified twelve. 4. Fourth, there is great diversity as to how capable any particular organization must be to succeed. This depends on the particular sharing scenario and its requirements.III. The Capability Maturity Model Integration® Approach2 When a leader of an organization asks, then, “Am I ready for shared services?” he orshe is asking, “What capabilities are required of me to be successful in this particular service?Am I capable in needed respects? What must I do to ready myself further?” We can now go on to describe ways to address those questions. Important work hasbeen done in framing these challenges at Carnegie Mellon University, under contract to2 CMMI is registered in the U.S. Patent and Trademark Office by Carnegie Mellon University 8

9.
DARPA.. While researchers have not specifically focused on shared services, the CMUapproach – called Capability Maturity Model Integration (CMMI®)-- is valuable as an analogueand framework. The CMMI® methodology describes certain capabilities that organizations can besaid to have, and to require, to manage any set of complex challenges – from fixing softwareto fixing bicycles to developing new combat platforms for America’s fleet. A process capabilityis a way of approaching a problem to deal with it. CMU’s work describes processes as increasingly“mature” -- ranging from ad hoc – we invent a solution on the fly to deal with a problem thatarises, for example, – through defined and quantitatively managed, to highly systematized, that is,anticipatory, formalized, repeatable, geared towards total optimization for all interests withstakes in the solution, and measurable as such. Software engineers developed the CMMI® methodology to solve quality problems insoftware development. Before we can use it in the services sphere we must adapt it to thatworld so that we are not stuffing square pegs into round holes. We need to observe sevenfeatures of our shared services terrain, in particular, which are relevant to the models’ use. First, sharing enterprises must articulate their own requirements for success. Everyshared service enterprise has requirements which can be specified in terms of the twelvecapabilities that we have brought forward. For some enterprises, we know a lot about those requirements – there have beenmany successful attempts, and some failed (and sometimes many failure and only a fewsuccesses!). For example, the challenge of standing up a centralized HR operation is fairly well-known, as is that of consolidating a motor pool or print shop. However, novel sharingarrangements may have unknown or poorly defined requirements. In these instances, thetask of assessing readiness requires that enterprise partners take the time to specify thoserequirements. Individual organizations can assess their own capabilities against them, andtake action to remedy any over- or under-readiness. Second, in addition to understanding the generic requirements for sharing, enterprisesare obliged to articulate the unique local requirements. That is because the local constellationof factors that determine success – the local issues of financing, governance, or politicalmanagement, for example – give decisive local “flavor” to the political economy of any sharingscenario. While most sharing scenarios have generic capability requirements – all “HR ops”consolidations have certain “nuts-and-bolts” recurring features, for example -- every sharingscenario also has great local variation. There is no “one-size fits all” in this game. The lightswill flash “Game Over” if leaders proceed as if Duluth were Des Moines, or Newport Newswere New York. Third, there is always some gap (except, see below) between the capabilities that arerequired, and what an organization, or an enterprise, is capable of. For example, governance is one of the twelve capabilities that any sharing scenariorequires. Looking at their capabilities, partners to a HR consolidation might notice that theydon’t yet have a governance arrangement mapped out. Whoops! We know that ad hocgovernance arrangements create real problems in the environment of a HR consolidation.Managing the governance risk appropriately for a HR consolidation requires having a muchmore sophisticated capability – a capability for governance that is proceduralized, 9

10.
systematized, and can be said to optimize, in its own process, for the benefit of theenterprise. Until these partners work out a more sophisticated governance plan, they are notready for the HR consolidation. Just as importantly, in another example, the FBI and a city police department mayplan to cross-designate investigators (another sharing mode!) for the purpose of a joint lawenforcement investigation. The CMMI® models let us see that, looking at all the capabilitiesthat are required, they may be able to get along just fine with an ad-hoc governance process.That is, their process capability for governance is adequate to the requirement. They don’t need moreprocess than they have. In terms of governance risk and capability, rather, the FBI and thelocal police department are “good to go”. Fourth, not all gaps “are created equal”. Some matter a lot, some not much at all;some are really expensive in terms of resources and time to fix; some are easy. There willalways be gaps, because performance must be understood in human terms, and that is notalways wonderfully or precisely measurable. Which gap you work on first or hardest dependson your tolerance for risk, your sensitivity to cost, and other factors. Fifth, capable organizations seek the correct fit between capabilities and requirements.They do not seek to optimize of all processes, for example – just those that require it. It isentirely possible that success may require only ad-hoc processes capability in some capabilityareas, but optimizing capability in others. Organizations can over-prepare by seekingoptimization, for example, where ad hoc will do just fine. Correlatively, it is entirely possible for an organization to be variably ready across thetwelve capabilities. Think of the twelve capabilities as your readiness portfolio. You can be readyin some capabilities, but ill-prepared in others. Sharing may require no more than ad hocgovernance capability, for example, and that’s exactly the capability level of the enterprisepartners. However, their enterprise may require more systematic approaches to platformaccess, data readiness, or outcome assurance, for example, and cannot settle for ad hoccapability. An organization can be variably ready across the twelve capabilities. Sixth, there is a commandment here, and it works as well for organizations andenterprises as it does individuals: Know thyself. The known requirements for success, weighedagainst capabilities, create an imperative for leaders to assure overall readiness. Whether juststarting out, expanding, or winding down sharing, readiness is the obligation of leadership.These known requirements in effect caution leaders, “Look, if you’re going to take this on,here are the requirements of success. Are your capabilities up to it? Get ready before youmove.” So requirements have a normative aspect to them: they impel leaders to assure thattheir enterprise is ready.Summing up then, the CMMI models give us a framework for assessing capabilities forsharing as against requirements. They give us a view, in other words, to enterprise readiness. TheCMMI® framework can and should be used both descriptively and normatively, in threeways: • First, to describe the requirements of the sharing scenario for the capabilities of the sharing participants • Second, to describe the sharing participants’ actual capabilities 10

11.
• Third, prescriptively, to assess how the capabilities of participants match up against the requirements of the scenario – that is, whether the partners are ready to share.Conclusions We have described a great variety of sharing configurations, and twelve capabilitiesof sharing enterprises. We have suggested that the CMMI® framework gives us a good way,further, to map actual organization capabilities against sharing scenario requirements on aprocess spectrum ranging from ad hoc to optimizing. We have noted, further, that for each of thetwelve capabilities, organizations may be “good to go” for some capabilities (i.e., they’re atad-hoc governance and need nothing more) to “better hold” for others (i.e., they’re at ad-hocgovernance but need to be optimizing). Lastly, we have observed that a sharing scenario canrequire a different process levels for each of the twelve capabilities – some ad hoc, othersnot, for example. Similarly, an organization is likely able to deploy only ad-hoc processes forsome capabilities, and optimizing processes for others. 11